Messages - 1.2 Definition - Authentication

Issue #844 resolved
Nat Sakimura created an issue

The current definition of Authentication does not go well with some form of authentication such as risk based authentication or location based authentication, etc. Also, it is too deterministic. The previously provisioned credential may be stolen.

Currently, it is defined as: Authentication Act of verifying End-User's possession of previously provisioned credentials.

Proposal: Authentication provision of assurance of the claimed identity of an entity [SOURCE: ISO/IEC 18014-2]

Comments (9)

  1. Michael Jones

    A normal developer, when confronted with "provision of assurance of the claimed identity of an entity", will have no idea what it means.

    Over Skype, Nat and I came to this proposed definition instead:

    verifying that the End-User is authorized to log in with a particular digital identity, which may involve verification of the current or past possession of particular credentials or knowledge, or utilizing risk-based assessment techniques.

  2. Nat Sakimura reporter

    After a bit of thinking, I now believe that this definition is wrong in several respects. Authentication should not be linked to being authorized to log in. “Log in” is equivalent to being granted access to a protected resource, which happens to be a user interface. So, this definition is conflating the authorization and authentication. Authentication, as defined in X.1254 and ISO 29115 is “provision of assurance in the identity of an entity”. This is quite accurate, but Mike says this is too abstract. Perhaps could we say this?

    Authentication Process of verifying the accuracy of the Identity. Typically it involves the verification of the current or past possession of particular credentials including what the entity knows, possesses, has physical feature of, behaves, and combination of these utilizing heuristics.

  3. Michael Jones

    We've refined the definition some more:

    Process of verifying the right of an entity to use the identity. Typically it involves the verification of the current or past possession of particular credentials including what the entity knows, possesses, has physical feature of, behaves, and combination of these utilizing heuristics. The entity is often an End-User or a Client.
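The following is an added illustration, not code from the issue thread or from any OpenID Foundation project. It models the distinction the thread arrives at: authentication is a process that produces assurance that an entity may use a claimed identity, built from several kinds of evidence (what it knows, what it possesses, how it behaves) combined by heuristics, while "logging in" to a resource is a separate authorization decision that consumes that assurance. The user record, the device key, the server challenge and the per-resource assurance policy are all constructed sample data; the possession factor is a simplified HMAC challenge-response standing in for whatever device binding a real deployment uses.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

SALT = b"constructed-salt"        # constructed; a real store uses a random per-user salt
CHALLENGE = b"constructed-nonce"  # constructed; a real server issues a fresh nonce per attempt


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample identity record: knowledge factor (password hash),
# possession factor (a key registered to a known device), behavioural context.
USERS = {
    "alice": {
        "pw_hash": _pbkdf2("correct horse battery staple"),
        "device_keys": {"dev-laptop-1": b"constructed-device-key"},
        "usual_countries": {"JP"},
    }
}

# Weights for each kind of evidence; the sum is the assurance in percent.
KNOWLEDGE, POSSESSION, BEHAVIOUR = 50, 30, 20


@dataclass
class AuthResult:
    identity: str
    assurance: int                         # 0..100 rather than a bare yes/no
    evidence: list = field(default_factory=list)


def authenticate(identity, password, device_id, device_proof, country) -> AuthResult:
    """Produce assurance that `identity` is the entity's to use, from several
    kinds of evidence. A failed knowledge factor yields assurance 0."""
    rec = USERS.get(identity)
    result = AuthResult(identity, 0)
    if rec is None or not hmac.compare_digest(rec["pw_hash"], _pbkdf2(password)):
        result.evidence.append("knowledge: password did not verify")
        return result
    result.assurance += KNOWLEDGE
    result.evidence.append("knowledge: password verified")

    # Possession: the device proves it holds its registered key by signing the challenge.
    key = rec["device_keys"].get(device_id)
    expected = hmac.new(key, CHALLENGE, "sha256").digest() if key else None
    if expected is not None and device_proof is not None and hmac.compare_digest(expected, device_proof):
        result.assurance += POSSESSION
        result.evidence.append(f"possession: device {device_id} proved its key")
    else:
        result.evidence.append("possession: no valid device proof")

    # Behaviour: a simple heuristic on whether the location matches past behaviour.
    if country in rec["usual_countries"]:
        result.assurance += BEHAVIOUR
        result.evidence.append(f"behaviour: familiar location {country}")
    else:
        result.evidence.append(f"behaviour: unfamiliar location {country}")
    return result


# Constructed policy: each protected resource demands a minimum assurance.
REQUIRED_ASSURANCE = {"profile": 50, "payments": 90}


def authorize(result: AuthResult, resource: str) -> bool:
    """Separate decision: may this authenticated entity use `resource`?"""
    return result.assurance >= REQUIRED_ASSURANCE[resource]


def device_proof_for(identity, device_id) -> bytes:
    """Stands in for the client device signing the server's challenge."""
    key = USERS[identity]["device_keys"][device_id]
    return hmac.new(key, CHALLENGE, "sha256").digest()


if __name__ == "__main__":
    proof = device_proof_for("alice", "dev-laptop-1")
    full = authenticate("alice", "correct horse battery staple", "dev-laptop-1", proof, "JP")
    partial = authenticate("alice", "correct horse battery staple", "unknown-dev", None, "US")
    for r in (full, partial):
        print(r.assurance, r.evidence, "payments:", authorize(r, "payments"))
```

Because `authenticate` returns a graded assurance with the evidence that produced it, the same identity can be authorized for a low-value resource but refused for a high-value one when only the knowledge factor succeeded, which is the risk-based behaviour the original "possession of previously provisioned credentials" wording could not express.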
